PhenixID products are based on Java, which uses the JRE's trust store by default. This article explains how to configure PhenixID products to use the Windows trust store when they are running on a Microsoft Windows system.
Prerequisite
PhenixID product installed on Windows OS.
Overview
JAVA default trust store
In most cases, we use a truststore when our application needs to communicate over SSL/TLS. Java bundles a truststore called cacerts, which resides in the $JAVA_HOME/jre/lib/security directory.
When the PhenixID products are running in a Microsoft Windows environment, you can configure them to use the Windows trust store, so that the Windows administrators can manage the trusted certificates. Setting the property javax.net.ssl.trustStoreType to the value Windows-ROOT instructs Java to use the native Windows ROOT keystore, which contains the trusted root CAs, as its source of trusted certificates.
Configuration
PhenixID Identity Provisioning (PIP)
Configure PIP to use the Windows keystore.
Open Windows Explorer and find files:
Provisioning Configurator.vmoptions
Provisioning Service.vmoptions
Open the files with a text editor
Add the following Java option to both files
-Djavax.net.ssl.trustStoreType=Windows-ROOT
Save and close both files
Restart PIP service and/or PIP Configurator
NOTE: An upgrade of PIP should keep this setting. But good practice is to verify the setting after an upgrade!
NOTE: An upgrade of PIM should keep this setting. But good practice is to verify the setting after an upgrade!
PhenixID Authentication Server (PAS)
Please add the following Java option to “phenixidservice.vmoptions”
-Djavax.net.ssl.trustStoreType=Windows-ROOT
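To confirm that the option has taken effect for either product, the following Java program (an added example, not PhenixID code; the class name TrustStoreCheck is my own) loads the Windows ROOT store through the SunMSCAPI provider and compares it with the trust anchors the JVM's default trust manager actually uses. It assumes a Windows JRE, since the Windows-ROOT keystore type only exists there.

```java
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Run on Windows with the same option the vmoptions files carry:
//   java -Djavax.net.ssl.trustStoreType=Windows-ROOT TrustStoreCheck
public class TrustStoreCheck {
    // The native Windows ROOT store (SunMSCAPI provider): no file, no password.
    static KeyStore loadWindowsRoot() throws Exception {
        KeyStore windowsRoot = KeyStore.getInstance("Windows-ROOT");
        windowsRoot.load(null, null);
        return windowsRoot;
    }
    // Trust anchors of the default trust manager, i.e. what TLS connections will accept.
    // Passing null to init() makes the factory honour the javax.net.ssl.trustStore* properties.
    static X509Certificate[] defaultTrustAnchors() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return ((X509TrustManager) tm).getAcceptedIssuers();
            }
        }
        return new X509Certificate[0];
    }
    // Default anchors absent from the Windows ROOT store; empty once Windows-ROOT is in effect.
    static List<X509Certificate> anchorsNotInWindowsRoot() throws Exception {
        KeyStore windowsRoot = loadWindowsRoot();
        List<X509Certificate> missing = new ArrayList<>();
        for (X509Certificate anchor : defaultTrustAnchors()) {
            if (windowsRoot.getCertificateAlias(anchor) == null) {
                missing.add(anchor);
            }
        }
        return missing;
    }
    public static void main(String[] args) throws Exception {
        System.out.println("javax.net.ssl.trustStoreType = "
                + System.getProperty("javax.net.ssl.trustStoreType", "(not set: JRE cacerts)"));
        List<X509Certificate> missing = anchorsNotInWindowsRoot();
        System.out.println("Windows ROOT entries: " + loadWindowsRoot().size()
                + ", JVM default anchors: " + defaultTrustAnchors().length
                + ", anchors not in Windows ROOT: " + missing.size());
        System.out.println(missing.isEmpty() ? "Windows-ROOT is in effect" : "JVM is NOT using Windows-ROOT");
    }
}
```

Run it once without the -D option and once with it: without the option the anchors come from cacerts and several of them will not be found in the Windows ROOT store, with the option the count of missing anchors drops to zero.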
DISCLAIMER
Information provided in this document is for your information only. PhenixID makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners.
The origin of this information may be internal or external to PhenixID. PhenixID makes all reasonable efforts to verify this information.
To determine which SSL/TLS keystore and truststore a Java™ application is using, you can set the JVM property javax.net.debug=true and re-create the error.
You can create the truststore file as part of the import process. The Java keytool utility is available with the Java JRE, which is not available on the HMC. You must use the keytool utility from a computer where Java JRE is installed. You can use any name and password for the truststore file.
The Java trust store is only updated when you update the JRE. If you want to add new CA certificates you need to do this on your own. In my experience this is not necessary for public CAs if you keep your JRE up to date.
Java stores the trusted certificates in a special file named cacerts that lives inside our Java installation folder. The default password for this KeyStore is “changeit”, but it could be different if it was previously changed in our system.
Under Administration > Configuration, click Trusted Certificate Management. The Trusted Certificate Management page opens. Click Java Trust Store. The Java Trust Store tab lists the alias and expiration date of each certificate in the Java trust store.
The init method initializes the TrustManagerFactory with the given TrustStore. As a side note, Java KeyStore and TrustStore are both represented by the KeyStore Java class. So when we pass null as an argument, TrustManagerFactory would initialize itself with default TrustStore (cacerts).